As the volume of data subject access requests (also known as DSARs, the right of access or SARs) continues to grow, fuelled in part by greater awareness of data rights, the use of AI tools to generate requests and follow-up complaints, and the increasing deployment of DSARs as a pre-litigation tactic in workplace disputes, it is ever more important to respond in a compliant and thought-through manner – and within the timescales.

The following principles should guide your response to any DSAR. We have focused here on employment-related DSARs and therefore use related terminology, but bear in mind that any data subject can bring any rights request against a controller – not just employees.

  • Recognise the DSAR immediately. A DSAR may be made in writing, by email, social media or other electronic means, or even verbally. UK data protection law does not set out formal requirements for a valid request - an individual does not need to use specific language or direct the request to a specific person. Employers should train front-line and HR staff to recognise DSARs and should have a designated person/team and email address for DSARs.
  • Verify identity and (if needed) authority but do not delay. If necessary, confirm the requester's identity promptly and any necessary authority. If an employee is making the request, it is unlikely you will need to verify their identity but you may need to verify their authority if the request is on behalf of someone else. The clock does not start until identity is verified and any authority needed is obtained.
  • Clarify scope where appropriate. The one-month time limit can be paused if there is anything in the DSAR that the data controller needs to clarify. Contact the individual as quickly as possible, keep a record of any conversation and explain why further details are being sought. Following the Data (Use and Access) Act 2025, a data controller is only required to conduct "reasonable and proportionate" searches. As this update effectively codifies existing ICO guidance, we don’t think it will have a big impact on the way you approach DSARs. However, data subjects might choose to challenge your approach, so do record how you determined what a reasonable and proportionate search was, to be more resilient to challenge.
  • Respond within one month or extend. Employers must respond without undue delay and in any event within one month of receipt of the request. This is extendable by up to two further months where the request is complex or where a number of requests have been received. If an extension is justified, you must write to the individual within one month of receipt to explain why.
  • Apply exemptions carefully. Key exemptions in the employment context include the mixed data exception, legal professional privilege and lawyers’ confidentiality which includes confidential references given for employment purposes, self-incrimination, management planning information where disclosure would prejudice the business activity and settlement negotiations. Avoid making untested assumptions about whether the data is exempt.
  • Redact third-party data with care. Care and thought are required for all third-party data redactions, but the need is most clearly demonstrated in the grievance context, where witness statements usually include the personal information of more than one person. Employers should consider the type of information to be disclosed, any duty of confidentiality owed to the other person, whether witnesses were assured of confidentiality by HR and whether the third party remains identifiable even after redaction by what they have said or the way that they have said it.
  • Provide required supplementary information. This information includes the purposes of processing, retention periods, recipients of the data, the right to rectification and erasure and the right to lodge a complaint. These are commonly set out in the covering letter at the end of the process. It is important to remember that the new right to complain means your letter should make it clear that any complaint should be made to the controller (you) in the first instance before escalating it to the ICO if necessary – though there is no current bar on complaining to the ICO directly.
  • Keep detailed records of every decision. Document what was searched, what was included or excluded, and why. These records are critical if a complaint follows. The burden of proof is on the employer to justify its approach. Taking the time now will help you defend the position if there is a complaint.

You can see our guidance on complaints here. One aspect that we consider will give rise to complaints is the difference between the release of personal data under a DSAR and what is disclosed in Employment Tribunal disclosure. 

DSARs vs Employment Tribunal Disclosure: Key Differences

Employers frequently need to manage DSAR obligations and Employment Tribunal disclosure in series or sometimes simultaneously. The two processes are legally distinct, and one does not replace the other.

The following table summarises the key differences which you need to know so that you can defend your position clearly and knowledgeably in a dispute/data subject complaint.

| Feature | DSAR (Data Subject Access Request) | Employment Tribunal Disclosure |
| --- | --- | --- |
| What are the rules requiring this? | Article 15 UK GDPR, with some exemptions in the DPA 2018 | ET Rules 2024 Rule 33; Presidential Guidance; CPR as applicable |
| Scope | All personal data relating to the data subject held by the controller, subject to a "reasonable and proportionate" search scope | All documents relevant to the issues in the claim, whether they help or harm either party's case |
| What is disclosed | Personal data - not whole documents. There is no right to copies of actual documents, only the personal data contained within them | Copies of relevant documents/data, even if they do not contain any personal data |
| Purpose | Exercise of a data protection right - "purpose blind"; motive is irrelevant although DSARs can be refused if manifestly unfounded or excessive, and commonly reduced in scope to a “reasonable and proportionate” scope | Evidence relevant to the issues to be determined |
| Timeframe | One month from receipt/ID/authority, extendable by two months for complex cases | As directed by the tribunal; often takes place after the DSAR response |
| Cost | Free, unless manifestly unfounded or excessive | No specific fee, but costs orders possible for non-compliance |
| Exemptions | Legal professional privilege, mixed data, lawyers’ confidentiality which includes confidential references, management planning and settlement negotiations, and self-incrimination | Privilege, without prejudice communications |
| Third-party data | Must be redacted or withheld unless consent given or reasonable to disclose without consent | Redaction may be ordered, but relevant third-party information is generally disclosable if relevant |
| Ongoing duty | Applies to data held at the date of the request, except in limited circumstances | Ongoing duty throughout the litigation - newly identified relevant documents must be disclosed even after the deadline has passed |
| Enforceability | Complaint to controller (from 19 June 2026), complaint to ICO, court order, compensation claim | Tribunal orders; sanctions include strike-out, adverse inferences, costs orders |
| Overlap | You cannot refuse a DSAR because tribunal proceedings are ongoing - the two are distinct obligations | Tribunal disclosure does not discharge DSAR obligations, and vice versa |

Top Tips: Managing the Overlap Between DSARs and Tribunal Disclosure

As noted above, employers frequently need to manage DSAR obligations and Employment Tribunal disclosure in series or sometimes simultaneously. The two processes are legally distinct, and one does not replace the other. Here are our top tips for managing the overlap:

  • Treat them as separate obligations. The ICO has previously issued an enforcement notice against an employer for refusing to respond to a DSAR during tribunal proceedings on the basis that the employer would wait until the tribunal directed disclosure. The employee later disclosed to the ICO an email from the tribunal confirming that it did not have powers to relieve employers of their duties under data protection legislation. Even if information has already been disclosed through tribunal proceedings, this does not mean an employer can refuse to comply with a DSAR.
  • Coordinate internally. Ensure that the team handling the DSAR and the team managing tribunal disclosure communicate to avoid inconsistencies. Consider where time and cost savings can be made by working together.
  • Plan the DSAR response with awareness of the litigation context. A DSAR response may reveal information not yet captured by tribunal disclosure. Equally, tribunal disclosure may cover documents not captured by a DSAR - for example, business documents relevant to the claim but not containing the employee's personal data. It is important to bear in mind that tribunal disclosure is given to the employee's legal representative, not the employee directly. These are intentionally different disclosures, with different exemptions and at different times. There are good, defensible reasons for that, as set out in the table above.
  • Apply exemptions consistently. If legally privileged material is withheld from a DSAR, ensure this is consistent with the tribunal disclosure position. In both scenarios, legally privileged documents are exempt from disclosure.
  • Understand the scope mismatch. A DSAR covers all personal data (broader in that sense), but the employee is only entitled to their personal data, not to copies of actual documents (narrower in that sense). Tribunal disclosure covers all relevant documents regardless of whether they contain personal data, but is limited to documents relevant to the claim. Disclosure obligations in litigation are generally wider and it is therefore highly unlikely that an individual will receive identical data through a DSAR and tribunal disclosure.
  • Record everything. Document the DSAR and the litigation search methodology, the decisions made, the exemptions used and the rationale. This helps to protect against later complaints and ICO scrutiny, as well as criticism or applications as part of the tribunal process.
  • Consider extending the DSAR deadline. Where a DSAR is received during tribunal proceedings, the complexity may justify the two-month extension, but apply the criteria contained in the ICO’s right of access guidance. However, the employer must notify the employee within the first month, and it is the employer's decision whether to extend the deadline.
  • Do not forget the data protection principles in the tribunal disclosure process. Only disclose relevant data, consider redactions where appropriate, or anonymity orders in limited circumstances, and handle bundles securely.
  • You cannot limit a data subject’s right of access. The ICO’s right of access guidance states that if a settlement agreement you have made with a worker limits their right of access, then it is likely this part of the settlement agreement will be unenforceable under data protection law. It is also important to note that the ICO states that signing a settlement or non-disclosure agreement does not waive a worker’s information rights. We can advise you on how to handle that in your specific circumstances. Future DSARs can be assessed on their own merits and we can advise on the right thing to do in the circumstances you face.

As this is a complex and fact-specific area, do let us know if we can assist with any of the areas we have considered above. You may also be interested in watching a recording of our recent webinar on data protection complaints in the employment lifecycle (passcode cy&J3gcJ), reading our article here and our Data protection complaints in the employment context and DSARs – Q&A.